Exploit writers team up to target Cisco routers

LAS VEGAS - In a room at the Alexis Park Hotel, a nightmare scenario for Cisco has begun to unfold.

It's Saturday night, a time for blowout parties at the annual DEF CON hacker convention, including the Goth-flavored Black and White Ball. But a half dozen researchers in the nondescript room quietly drink, stare at the screens of their laptops, and in low voices, discuss how to compromise two flat metal boxes sitting on a sofa side table: Cisco routers.

They argue that it's the logical conclusion to Cisco's attempts to censor a presentation given by Michael Lynn, a security researcher who resigned from his company, Internet Security Systems, to present his method for compromising and running code on Cisco routers at the Black Hat Security Briefings earlier this week.

The companies made good on legal threats, settling on Thursday with Lynn, who signed a permanent injunction preventing him from using the presentation or disseminating the information at either Black Hat or the following DEF CON convention.

The legal tactics acted to mobilize security researchers and hackers at the shows to glean whatever information they could about the methods used by Lynn and reproduce his work.

"It won't take us six months to figure out what Michael Lynn did and how he did it," said one of the researchers in the room. "What Cisco did was stupid. It just attracted more attention to the problem."

The loose coalition of hackers and security researchers formed to rediscover Lynn's method of running code on the routers is the latest incident to underscore how seriously the two sides take this fight over software security. While Cisco has patched the vulnerability used by Lynn - a flaw in how the networking giant's router software handles the next-generation Internet addressing scheme known as IP version 6 - the knowledge that code can be run on Cisco routers is a lure to other hackers and security researchers.

The hackers in the room are not slouches. Several come from well-known hacking groups; others have presented at the more professional Black Hat Security Briefings that precede the DEF CON hacker convention. The ground rules of the event were that the researchers' names and companies would not be used in this article.

Other security researchers who knew of the concerted efforts to exploit Cisco routers believe that, even with many groups working on the problem, a breakthrough will not happen soon. Few security professionals or hackers understand Cisco routers in the way that Michael Lynn does, said independent security researcher Riley "Caezar" Eller, a conference attendee.

"If you put him and a (Cisco) box in a room, the box breaks," Eller said, giving Lynn high praise.

The difficulty of the task ahead has not quieted the hackers and researchers. Cisco's strong-arm tactics were the topic of many conversations at the show. Many hackers vowed to try to reproduce Lynn's work after DEF CON ends. Such talk underscores the degree to which DEF CON attendees dislike Cisco's actions, Eller said.

"Honestly, there is enough resistance to information sharing on the part of Cisco that it seems a moral imperative to hack on Cisco and show their position - that this information can be hidden - is indefensible," Eller said. "In a connected society, the people responsible for security need to trust each other. Cisco violated that social contract." Cisco could not be reached for comment on Sunday.

Other security researchers were not shy about taking Cisco to task. Someone created t-shirts emblazoned with the words "Ciscogate" and less printable barbs and started selling the souvenirs by the end of the conference.

During her presentation at DEF CON, Internet security consultant Raven Alder summarized Lynn's findings for the audience, linked to potential vulnerabilities in Cisco's Internet Operating System (IOS) that could be used to compromise the networking giant's products, and told attendees that Cisco needed to do a lot to repair relationships with security researchers.

"Hiding your head in the sand is not going to help; suing researchers is not going to help - Cisco, you are really screwing up here," she said to enthusiastic applause.

The ill will is the result of perhaps the most comprehensive attempt to censor information in the Internet Age.

On Monday, Cisco employees ripped out the 10-page presentation from the Black Hat Conference proceedings and confiscated all the original conference CD-ROMs, replacing them with disks that did not have the controversial presentation. After Lynn unexpectedly gave his presentation, Cisco and ISS mustered their legal troops to file a temporary injunction against him. By Thursday, Lynn agreed to sign a settlement to turn over all materials and promised not to further disseminate information on the flaws or the technique he used to run code on the popular network hardware.

ISS has also actively pursued Web sites that have posted the presentation online.

Tom's Hardware, which posted photos of the slides on its site, also received a takedown notice from Internet Security Systems' law firm, Piper Rudnick Gray Cary LLP, on Friday, according to documents seen by this reporter. Another Web site that posted the presentation, Infowarrior.org, removed the file after receiving a cease-and-desist notice from ISS, said Richard Forno, a security consultant and the editor of the site.

"By serving takedown notices in response to such situations, a company demonstrates clearly that it is more concerned with preserving its commercial interest in intellectual property than fostering community awareness and knowledge pertaining to critical Internet security issues," Forno said in an e-mail statement.

The attempts to rein in the information, however, have failed spectacularly.

The original ISS presentation is still available on the Web site Cryptome.org and on BitTorrent. Other Web sites that have published the presentation have seen thousands of downloads, according to data from those sites.

At the DEF CON conference, asking about Lynn's Cisco presentation frequently results in a sly smile, a hand dipping into a pocket and the appearance of a mini compact disk. The video of Cisco employees ripping out the offending 10-page presentation from the Black Hat conference proceedings was shown to this reporter and will likely appear on the Internet soon.

However, there was no better example of the failure to censor the information than what appeared on a table in the Alexis Park Hotel room on Saturday night: Lynn's actual 10-page presentation.

"For years, Cisco has told you that IOS was impossible to (compromise) ... Others have come close to disproving this claim, but until now, no one has ever demonstrated reliable exploitation techniques or shellcode for IOS," the first-page abstract of the presentation states.

Around midnight, the group sequestered in the hotel room starts breaking apart, responding to the siren call of music and sounds of raucous drinking from the hotel's courtyard. They have made little progress; at most, some foundational work. One latecomer, dressed in clashing vinyl-wear, decides to stay and plug away at the problem for a bit longer. Others make vague promises to come back later and hash out more of the problem.

Yet, everyone pledges to pick the problem back up. This is one exploit technique, the researchers say, that will not stay hidden for long.